The Austrian discount supermarket chain Hofer and its mobile brand Hofer Telekom (HoT) started selling a ZTE MF833V broadband USB modem yesterday.

It is the successor of the MF831 and is an LTE Cat4 device that presents itself in CDC (Ethernet) mode. It is specified for GSM 850/900 at 35 dBm, GSM 1800/1900 at 32 dBm, UMTS bands I/VIII at 28 dBm and LTE bands 3/7/8/20 at 25 dBm.

Instead of a mini-SIM slot, it has a micro-SIM slot.

When the stick is plugged into a USB port of my computer, lsusb reports:

Bus 001 Device 074: ID 19d2:1225 ZTE WCDMA Technologies MSM

which switches to
Bus 001 Device 075: ID 19d2:1405 ZTE WCDMA Technologies MSM

shortly afterwards.

dmesg reports (MAC address partially censored here):

[645228.134041] usb 1-2: new high-speed USB device number 74 using xhci_hcd
[645228.294170] usb 1-2: New USB device found, idVendor=19d2, idProduct=1225, bcdDevice=56.91
[645228.294172] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[645228.294173] usb 1-2: Product: ZTE Mobile Broadband
[645228.294174] usb 1-2: Manufacturer: ZTE,Incorporated
[645228.294175] usb 1-2: SerialNumber: 1234567890ABCDEF
[645228.298872] usb-storage 1-2:1.0: USB Mass Storage device detected
[645228.298993] usb-storage 1-2:1.0: Quirks match for vid 19d2 pid 1225: 1
[645228.299069] scsi host3: usb-storage 1-2:1.0
[645229.318504] scsi 3:0:0:0: CD-ROM ZTE USB SCSI CD-ROM 2.31 PQ: 0 ANSI: 2
[645229.321200] sr 3:0:0:0: Power-on or device reset occurred
[645229.328269] sr 3:0:0:0: [sr0] scsi-1 drive
[645229.328455] sr 3:0:0:0: Attached scsi CD-ROM sr0
[645229.328522] sr 3:0:0:0: Attached scsi generic sg1 type 5
[645234.323025] usb 1-2: USB disconnect, device number 74
[645234.669842] usb 1-2: new high-speed USB device number 75 using xhci_hcd
[645234.829914] usb 1-2: New USB device found, idVendor=19d2, idProduct=1405, bcdDevice=56.91
[645234.829916] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[645234.829917] usb 1-2: Product: ZTE Mobile Broadband
[645234.829918] usb 1-2: Manufacturer: ZTE,Incorporated
[645234.829919] usb 1-2: SerialNumber: 1234567890ABCDEF
[645234.838214] cdc_ether 1-2:1.0 usb0: register ‘cdc_ether’ at usb-0000:00:14.0-2, ZTE CDC Ethernet Device, 0e:84:5a:xx:xx:xx
[645234.840017] usb-storage 1-2:1.2: USB Mass Storage device detected
[645234.840159] scsi host3: usb-storage 1-2:1.2
[645235.848009] scsi 3:0:0:0: CD-ROM ZTE USB SCSI CD-ROM 2.31 PQ: 0 ANSI: 2
[645235.849927] scsi 3:0:0:1: Direct-Access ZTE MMC Storage 2.31 PQ: 0 ANSI: 2
[645235.857944] sr 3:0:0:0: [sr0] scsi-1 drive
[645235.858179] sr 3:0:0:0: Attached scsi CD-ROM sr0
[645235.858260] sr 3:0:0:0: Attached scsi generic sg1 type 5
[645235.858417] sd 3:0:0:1: Attached scsi generic sg2 type 0
[645235.864894] sd 3:0:0:1: Power-on or device reset occurred
[645235.875941] sd 3:0:0:1: [sdb] Attached SCSI removable disk

As usual, DHCP is enabled by default; ifconfig shows (partially censored):

usb0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet netmask broadcast
inet6 fe80::e540:9fc0:2exx:xxxx prefixlen 64 scopeid 0x20<link>
ether 92:0d:ef:xx:xx:xx txqueuelen 1000 (Ethernet)
RX packets 27 bytes 2637 (2.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 52 bytes 7333 (7.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ip route shows a default route via usb0 with a high metric value, i.e. lower priority than the existing default route, which is fine:

default via dev usb0 proto dhcp metric 20100

Version information:

Software-Version BD_ATMF833VV1.0.0B02
Hardware-Version MF833V-1.0.0


The well-known browser-based, URI-triggered mode-switch commands that allowed the MF831 to be switched into modem mode do not work on this model.

You won't need that anyway: the web interface has a DMZ setting (but no port forwarding, as the MF920 has, for example). The DHCP settings can easily be adjusted, too.

As long as your router knows how to handle LTE sticks in CDC mode, there should be no problem. If your router's default address collides with the modem's, change one of them before using the two together.

The model I held in my hands does not support IPv6!

Nice: MTU and MSS sizes can be adjusted from the GUI!



A very cheap LTE Cat4 USB modem (30 Euro) with hardware from 2017; its software carries a copyright notice from 2019. It is easy to handle, but its size, similar to the MF831, will probably physically block a neighbouring USB port. Better get an extension cable.

If you need a device with native IPv6 support (assuming your ISP/mobile service provider offers it), this stick is not for you: there is simply no sign of IPv6 support anywhere in the software. If your MSP/ISP provides a public IPv4 address with your contract, the DMZ feature may let you expose a host behind the stick, which is most likely a necessity for 6in4-based IPv6 tunnel broker services today (6to4 and Teredo are almost no longer used because of their severe disadvantages).


Fun with NFC tags

If your smartphone is capable of Near Field Communication, you can do fun things with a bunch of NFC stickers such as NTAG 216 compatible tags.

E.g. enhance your business cards with additional contact information that is copied wirelessly into someone else's phone. Set up your Wi-Fi for guests just by touching an NFC sticker somewhere. Activate Bluetooth and GPS on your phone just by touching a tag attached to the car's dashboard…

What you need


To be continued…

USB hub – per port power switching – an interim report.

Sometimes my ZTE MF831 LTE stick gets stuck somehow. Its device ID changes to something other than what is documented in my other article on this stick: ZTE MF831 for use with OpenWRT: serial modem instead of cdc_ether.

Usually, when that happens, only a full power cycle or unplugging and replugging helps.

Since none of my routers is capable of completely shutting down a USB port, there are only two possible solutions, apart from using a timer switch:

a) tinker with a relay or transistor circuit that switches off the USB hub's external power supply when the USB port is shut down in software, or alternatively drive it from your router's GPIO

b) get a PPPS USB hub: a per-port power switching hub already has built-in power switches (transistors) for each of its ports. If the hub chip supports PPPS, it will shut down a port completely when software such as uhubctl tells it to.

But PPPS hubs aren't easy to identify, and only a small number of products feature PPPS.

The tool uhubctl supports some of these. Amongst them is the AmazonBasics 7-port USB 3.0 hub (Europlug and 12 V/3 A power adapter). Forget about the D-Link DUB-H7 unless you already own one of the older silver-cased versions; the newer revisions above 2.0 no longer support PPPS.

You can find a list of uhubctl-compatible hubs here: https://github.com/mvp/uhubctl/blob/master/README.md

When I started searching for such a hub in September 2017, the AmazonBasics model was the only one that was actually available. In the meantime there is also a model from TP-Link, the TL-UH700, but I haven't analysed that model yet, and its specification gives no hint either.

I have done some experiments with the AmazonBasics hub connected to my TP-Link TL-WR1043ND v1 running OpenWRT. Unfortunately, while switching the ports worked well, a complete reset of the ZTE MF831 wasn't possible. It seemed to still get enough current to remain in its locked-up mode, which I guess is Fastboot (or a similar) download mode.

For other USB devices, PPPS works well. You can shut down a hard disk after use or switch a USB LED or USB fan… Sounds like USB fun.
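As an added example (my script, not from the post or from the uhubctl project), here is how I would automate that reset attempt: the stick's state is read from lsusb first, so the port is only cycled when the stick has vanished or re-enumerated with a foreign ID, as described above, and the script reports failure if the stick does not come back in a known mode, since, as noted, a port power-off does not always drain a stick that has fallen into a download mode. The expected IDs are those of the ZTE sticks from the MF833V post at the top of this page (19d2:1405 in CDC mode, 19d2:1225 before the switch); the hub location, port number and off-time are placeholders to be taken from uhubctl's own listing (the README also covers hubs that show up as separate USB 2 and USB 3 logical hubs). uhubctl needs root or a udev rule for the hub.

```shell
#!/bin/sh
# Added example, not part of the original post: power-cycle one hub port with
# uhubctl, but only when the LTE stick is missing or shows an unexpected USB ID.
# Assumptions: HUB_LOCATION "1-1" and HUB_PORT "2" are placeholders (take the
# real ones from the output of `uhubctl` without arguments).

HUB_LOCATION="${HUB_LOCATION:-1-1}"
HUB_PORT="${HUB_PORT:-2}"
OFF_SECONDS="${OFF_SECONDS:-10}"   # keep the port off long enough to drain the stick
EXPECTED_IDS="${EXPECTED_IDS:-19d2:1405 19d2:1225}"   # CDC mode, and the pre-switch ID

# Classify the stick from lsusb output (passed as a string so it can be tested):
# prints "ok" if an expected ID is listed, "stuck" if some other ZTE (19d2)
# device is listed instead, "absent" if no ZTE device is present at all.
stick_state() {
    for id in $EXPECTED_IDS; do
        if printf '%s\n' "$1" | grep -q "ID $id"; then
            echo ok
            return 0
        fi
    done
    if printf '%s\n' "$1" | grep -q 'ID 19d2:'; then
        echo stuck
        return 0
    fi
    echo absent
}

# The uhubctl command line we run: -a cycle switches the port off and on,
# -d is the number of seconds it stays off. Printed so a dry run can show it.
cycle_cmd() {
    printf 'uhubctl -l %s -p %s -a cycle -d %s' "$HUB_LOCATION" "$HUB_PORT" "$OFF_SECONDS"
}

# Cycle the port unless the stick already looks healthy. Returns 0 if the stick
# is in an expected state afterwards, 1 otherwise (cycle failed or stick stuck).
reset_stick_if_needed() {
    state=$(stick_state "$(lsusb 2>/dev/null)")
    if [ "$state" = ok ]; then
        echo "stick ok, nothing to do"
        return 0
    fi
    echo "stick is $state, cycling port $HUB_PORT on hub $HUB_LOCATION"
    $(cycle_cmd) || return 1          # needs root or a udev rule for the hub
    # give the stick time to enumerate and perform its own mode switch
    i=0
    while [ "$i" -lt 30 ]; do
        [ "$(stick_state "$(lsusb 2>/dev/null)")" = ok ] && return 0
        sleep 1
        i=$((i + 1))
    done
    echo "stick still not in an expected state after the power cycle" >&2
    return 1
}

if [ "${1:-}" = run ]; then reset_stick_if_needed; fi
```

Run it as `sh reset-stick.sh run` from cron or a hotplug script on the router; a non-zero exit is the signal that the "enough residual current" problem from above has hit again and a manual replug is due.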

As soon as I find the time, I'll resume my tests with a TP-Link TL-WR1043ND v2 or a TP-Link TL-WR1043N v3.

Wifi Video Doorbell Analysis

Recently I decided that a Wi-Fi video doorbell would be a good investment. Since I can be quite penny-pinching, I ordered a “Generic TS-IWP708 Wifi Digital Wireless Video Tür Bell”. When I bought it, it cost around 30 Euros.

Here is my analysis of the device.

  1. Packaging and Content
    1. The Box
      The white box doesn't give much information. The top side has the general product name printed on it, and some pictures of the package's contents are on the right side of the carton. Some bar-code stickers are on the sides of the box; one of them has “TS-IWP708” printed beneath the code. No producer is named.

      1. Contents of the Box
        1. User's manual (20 pages with coloured illustrations)
        2. Doorbell main unit in a resealable plastic bag
        3. Assembly frame featuring a rain shell
        4. Power adapter, 230 V to 5 V 1 A, with a two-pin header and a big CE logo
        5. LAN adapter: eight unshielded 17 cm wires with an eight-pin header on one end and an RJ45 female connector on the other
        6. An adapter consisting of three wires, each 10.5 cm long, with a three-pin header on one end and open ends on the other
        7. Two pieces of double-sided adhesive tape
        8. One bag with four cheap screw anchors and cheap screws, plus a small metal screw
      2. Remarks:
        1. The manual has no imprint or licence information.
        2. The doorbell has a glossy enamel look and a blue touch button. There are two green LEDs left and right below that button. In the upper area is the 640×480 camera with six IR LEDs, three on each side of the sensor. Speaker and microphone have slots in the casing. On the back is a recessed reset button. Two stickers on the back indicate “QC passed” and the production date.
        3. The weather shell, if we can call that porch that, has a hole on the bottom. The small screw is used to fix the doorbell main unit to this casing. A burglar would have an easy job unmounting the bell that way. I'd recommend filling the screw with epoxy resin if you'd like to keep the device after reading all of this post.
        4. The power cord is ridiculously short for an outdoor doorbell: approximately 80 cm.
        5. The LAN adapter is unshielded, with no twisted pairs. It might cause radio interference if used that way. I guess we should wrap it in aluminium foil when mounting the device.
        6. The three-pin adapter cable is for a door opener. I would use that, and I'll explain this later in 3.2.
    2. Setup
        1. Preparations
          1. On page 7 of the manual you'll find QR codes that should link directly to Google Play or the App Store. Well, for Android, the link for Door Phone 4.1 was dead. I found an app called “Door Phone 4.4” (search term: “doorphone”) from “ShenZhen Gogo Link Tech.limited”, which worked for me.
          2. Caveat: before trying to connect, turn off mobile data on your smartphone. It will probably interfere with the detection of the doorbell (this may be a country-specific effect due to the IP address ranges used by 4G/3G/2G networks).
          3. Now plug in the power adapter that you have previously connected to the two-pin header on the back of the doorbell.
          4. Wait for the doorbell to boot. It will announce “welcome to smart home”. After that, wait another 30 seconds, then press the blue touch button for about five seconds and release it. The bell will talk again: “Network configuration mode, please set it down in five minutes”.
          5. As soon as you hear that, a Wi-Fi access point with the SSID “GBELL-{part of the unit's MAC address}” becomes available. Connect to it. The password is 123456789.
          6. Now that you are associated with the AP, open the “Door Phone” app and follow the instructions from page 9 of the manual: “Please click here to add bell”, then “Search”. Tap the text of the detected “GBELL …”.
          7. Now tap the gear-wheel icon and continue to set up the Wi-Fi.
          8. Don't forget to switch your mobile back to your own WLAN when the voice tells you to wait a few seconds.
        2. Finalisation
          1. Now that the unit is set up, you will want to fine-tune it. First turn off the alarm sound in the alarm settings, otherwise you'll probably go crazy…
          2. Mind the “User settings”. Keep in mind that the bell app won't accept special characters, and passwords must be longer than six characters but apparently not longer than nine.
          3. Keep that in mind in order to be able to log back in after you change the password; otherwise the reset button on the back has to be pressed and you have to start from the beginning.
    3. Deeper inspections
      1. Services
        1. A port scan of the unit's IP address reveals three open TCP ports:
          23/tcp open telnet
          81/tcp open hosts2-ns
          8600/tcp open asterix

          1. The telnet service (or shall we call it a backdoor?) can be accessed with the following credentials:
            user: root
            password: 123456
          2. On port 81 there is a web interface that can be accessed with your user credentials. Keep in mind that special characters don't work; they are simply dropped. The interface is more than crappy and should provide five basic functions:
            1. Video stream window: always black, dysfunctional.
            2. WLAN scan: you can scan, but that's all…
            3. Trigger the door opener: rather pointless if video and audio don't work here.
            4. Audio in: no function.
            5. Audio out: no function.
          3. The purpose of port 8600 is unclear at this point. It seems to be the “go-service” used for communicating with the app. I haven't analysed it in depth yet, but it seems to be a monolithic multi-purpose binary. It's definitely not Asterisk (“asterix” is just nmap's generic service name for port 8600).
        2. A deeper look into the firmware
          I used the telnet service with root permissions to take a deeper look into the firmware. What I found:

          1. It's running BusyBox and Linux
            Surprise: the firmware uses a Ralink SDK built on Linux 2.6 (the SoC is a Ralink RT5350, see below), and nowhere in the packaging is any hint of the GPL licence. No mention of reused code and licences. I notified the producer “Sawful” and Amazon about this. Waiting for an answer.

            # cat /proc/version 
            Linux version 2.6.21 (root@mailzxh-desktop) (gcc version 3.4.2) #655 Wed Nov 21 22:21:46 CST 2012
            # busybox 
            BusyBox v1.12.1 (2012-11-21 22:17:05 CST) multi-call binary
            Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko
            and others. Licensed under GPLv2.
            See source distribution for full notice
          2. Hardware
            1. SoC: Ralink RT5350 (MIPS 24K core, integrated Wi-Fi).
              # cat /proc/cpuinfo 
              system type : Ralink SoC
              processor : 0
              cpu model : MIPS 24K V4.12
              BogoMIPS : 239.10
              wait instruction : yes
              microsecond timers : yes
              tlb_entries : 32
              extra interrupt vector : yes
              hardware watchpoint : yes
              ASEs implemented : mips16 dsp
              VCED exceptions : not available
              VCEI exceptions : not available
              # ls /proc/rt5350 
              gmac skb_free tx_ring rx_ring cp0 esw_cnt
            2. RAM: 32MB
              # cat /proc/meminfo | grep MemTotal
              MemTotal: 29336 kB
            3. Flash
              1. Configuration/partitions
                # cat /proc/mtd 
                dev: size erasesize name
                mtd0: 00800000 00010000 "ALL"
                mtd1: 00030000 00010000 "Bootloader"
                mtd2: 00010000 00010000 "Config"
                mtd3: 00010000 00010000 "Factory"
                mtd4: 00100000 00010000 "Kernel"
                mtd5: 00330000 00010000 "RootFS"
                mtd6: 00300000 00010000 "sys"
                mtd7: 00080000 00010000 "param"

                So this is an 8 MB flash chip with seven partitions; mtd0 “ALL” spans the whole chip, and the sizes of mtd1 to mtd7 add up to exactly 0x800000 bytes.

                The firmware can be backed up using BusyBox's tftp client. Set up a TFTP server on a machine in the same LAN and, on the doorbell, run “tftp -p -l /dev/mtdblockN -r <remote file> <IP address of server>” for each partition to push the raw contents of /dev/mtdblock* to your server (with BusyBox tftp, -p selects “put” and the server address is the positional argument). Since mtd0 “ALL” covers the whole chip, mtdblock0 alone is already a complete 8 MB image; nothing needs to be staged in the ramfs /tmp.

              2. Partitions mounted as..
                # mount
                rootfs on / type rootfs (rw)
                /dev/root on / type squashfs (ro)
                proc on /proc type proc (rw)
                none on /var type ramfs (rw)
                none on /etc type ramfs (rw)
                none on /tmp type ramfs (rw)
                none on /media type ramfs (rw)
                none on /sys type sysfs (rw)
                none on /dev/pts type devpts (rw)
                /dev/mtdblock6 on /system type jffs2 (rw)
                /dev/mtdblock7 on /param type jffs2 (rw)
            4. WIFI configuration
              iwconfig shows a ra0 RTWIFI SoftAP device and some WDS devices. wds0 has the SSID GBELL…, so it seems the GBELL AP is still configured, but I was unable to associate with it, assuming it was just a hidden SSID.
              apcli0 is the client interface to the domestic main AP. I am unable to find a regulatory domain setting for this device; it seems we are restricted to the world domain.
            5. Active network services
              # netstat -aWp
              Active Internet connections (servers and established)
              Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
              tcp 0 0* LISTEN 133/encoder
              tcp 0 0* LISTEN 28/telnetd
              tcp 0 0* LISTEN 31/go-daemon
              tcp 0 213 ESTABLISHED 28/telnetd
              udp 0 0* 133/encoder
              udp 0 0* 133/encoder
              udp 0 0* 133/encoder
              udp 0 0* 133/encoder
              udp 0 0* 133/encoder
              udp 0 0* 31/go-daemon
              udp 0 0* 133/encoder
              udp 0 0* 31/go-daemon
              udp 0 0* 133/encoder
              udp 0 0* 102/udhcpd
              udp 0 0* 133/encoder
              udp 0 0* 133/encoder
              udp 0 0* 133/encoder
              udp 0 0* 133/encoder
              udp 0 0* 30/cmd_thread
              Active UNIX domain sockets (servers and established)
              Proto RefCnt Flags Type State I-Node PID/Program name Pat
              1. Binary locations: /system/system/bin:
                # ls -la /system/system/bin
                -rwxr-xr-x 1 0 0 156768 go-daemon
                -rwxr-xr-x 1 0 0 8260 cmd_thread
                -rwxr-xr-x 1 0 0 877540 encoder
                drwxrwxrwx 5 0 0 0 ..
                drwxrwxrwx 2 0 0 0 .
            6. Camera:
              A snapshot of the camera can be retrieved using the following URL (credentials as chosen by yourself):
              According to the output of “strings encoder” on my local PC, videostream.cgi should be the corresponding URL for MJPEG streaming. It does not work for me right now; the reasons are yet to be investigated.
          3. Security flaws
            1. Telnet with trivial credentials giving root permissions.
            2. WDS is probably susceptible to KRACK (WPA key reinstallation), yet to be tested. Given the age of the firmware and the fact that WDS configurations are in use, this is likely if a hostapd-like service is built into the go-daemon binary. KRACK mitigation requires not only the AP to be fixed but also most of the clients to be immunised against key replay attacks. It is to be expected that many smart home gadgets haven't received such an update.
    4. Conclusions
      This is one of the cheapest Wi-Fi doorbell devices. While the main unit is of a good design and of surprisingly high quality at first glance, the accessories are of surprisingly low quality.

      The manual is no longer up to date. It also lacks any licence information. The manufacturer does not currently publish the SDK used to create the binaries, which contain at least a Linux kernel and BusyBox code; both have been released under the GNU General Public License. We'll see whether the manufacturer or Amazon reacts to that GPL violation hint.

      From a security perspective, a telnet daemon with root credentials the user cannot change is an absolute no-go today, as it was 15 years ago. I found an article from Pen Test Partners. The guys there analysed a Maginon IPC-20C that was built around the same SDK/framework; that article has been around for a while now. See: Hacking the IP camera (part 1).

      The doorbell would be much more comfortable to use if the German translation of the Gogo-Link Door Phone app were a little better. There are also some untranslated Chinese characters. It would be even better if the device had a fully featured, working web interface to interact with. It does not. Being dependent, for configuring the doorbell, on an app that already seems to have vanished from Google Play is quite annoying.

      From a developer's perspective, the device is quite interesting. I'll have to look for some “Asterisk Camera Tools” that speak the protocol of the go-daemon, which seems to be a static binary containing all necessary functions, including a hostapd-alike (or even hostapd) service, or I'll have to look for a way to get Open IP Cam running on that device. We'll see.





List of netcup.eu vouchers

If you are looking for cheap quality hosting (webhosting, VPS, root servers, storage servers, domains, Plesk Onyx licences, and even managed servers and colocation) in Germany, you'll probably like to have a look at netcup. Netcup is an Austro-German company (see Anexia).

You can get your free voucher for various of their products at our sister site grundsoli.de or at hosting-groupie.de. You may choose between a voucher worth 5 Euro for new customers (domains excluded) or a permanent discount of up to 30% on netcup products. Just follow the link or copy the coupon/voucher code and enter it in netcup's web shop.

BTW: if you decide on more than one root server (RS), virtual private server (VPS) or storage server, the following hint may come in handy: did you know that netcup now offers a free 100 Mbit/s cloud VLAN for interconnecting your root servers, VPS and storage servers? Look here for Cloud vLAN Free.

Here are vouchers for some of their other products (one-time use only). If all of the vouchers are used up, just leave a comment; I'll refill them ASAP.


Downgrading UBNT Nanostation M2 Loco (XM): ubnt downgrade code=2, msg=Firmware check failed

I recently tried to downgrade a UBNT Nanostation M2 Loco (XM version) in order to flash LEDE afterwards.

The problem is that AirOS 6.0.6 requires signed firmware images, and even original (older) images seem to lack a signature that it accepts. Hence TFTP always fails with “ubnt downgrade code=2, msg=Firmware check failed” (and of course the web interface behaves likewise).

Here is what I did instead:

  1. Get the XM version of AirOS 5.5.11¹
  2. scp XM.v5.5.11.28002.150723.1344.bin ubnt@
    ssh -lubnt
  3. /sbin/fwupdate -m ²

Remark: all the steps in one command: ssh -lubnt ‘curl -o /tmp/fwupdate.bin http://dl.ubnt.com/firmwares/XN-fw/v5.5.11/XM.v5.5.11.28002.150723.1344.bin && /sbin/fwupdate -m’

Update: if /sbin/fwupdate does not work for you, look for /sbin/fwupdate.real. /sbin/fwupdate now seems to be a wrapper script that simply invokes /sbin/fwupdate.real -m after doing some more checks (fwupdate.real -c). Use it at your own risk, and double-check that you are using the right firmware file for your platform.


Now I have AirOS 5.5.11 on the device and can flash my own LEDE 17.01.2 build from the AirOS web interface. If I wanted to revert, I'd have to flash 5.5.11 or lower again, according to OpenWRT's/LEDE's documentation.
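As an added example (my script, not from the post or from Ubiquiti): the same downgrade over SSH with two checks in front of it. The firmware file name must carry the expected platform code (XM here), because flashing an image built for another platform is the easy way to brick the unit, and the script prefers /sbin/fwupdate.real when the device has it, per the update above. Device address and user name are placeholders; the firmware URL and the /tmp/fwupdate.bin path are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: the SSH downgrade from the post
# with a platform check and updater selection in front of it.
# Assumptions: DEVICE is a placeholder address; fwupdate expects the image at
# /tmp/fwupdate.bin as in the post's one-liner.

DEVICE="${DEVICE:-192.0.2.20}"
SSH_USER="${SSH_USER:-ubnt}"
PLATFORM="${PLATFORM:-XM}"
FW_URL="${FW_URL:-http://dl.ubnt.com/firmwares/XN-fw/v5.5.11/XM.v5.5.11.28002.150723.1344.bin}"

# Ubiquiti image names start with the platform code: "XM.v5.5.11....bin".
# Return 0 only when the file name (or URL) carries the platform we expect.
fw_matches_platform() {   # <file name or URL> <platform>
    case "${1##*/}" in
        "$2".v[0-9]*.bin) return 0 ;;
        *) return 1 ;;
    esac
}

# Prefer /sbin/fwupdate.real (wrapped by /sbin/fwupdate on newer AirOS);
# fall back to /sbin/fwupdate. Arguments: the updater paths found on the device.
pick_updater() {
    for p in "$@"; do
        [ "$p" = /sbin/fwupdate.real ] && { echo "$p"; return 0; }
    done
    for p in "$@"; do
        [ "$p" = /sbin/fwupdate ] && { echo "$p"; return 0; }
    done
    return 1
}

downgrade() {
    fw="${FW_URL##*/}"
    fw_matches_platform "$fw" "$PLATFORM" || {
        echo "refusing: $fw is not a $PLATFORM image" >&2
        return 1
    }
    curl -fsSL -o "/tmp/$fw" "$FW_URL" || return 1
    scp "/tmp/$fw" "$SSH_USER@$DEVICE:/tmp/fwupdate.bin" || return 1
    present=$(ssh "$SSH_USER@$DEVICE" 'ls /sbin/fwupdate.real /sbin/fwupdate 2>/dev/null')
    updater=$(pick_updater $present) || {
        echo "no fwupdate binary found on $DEVICE" >&2
        return 1
    }
    echo "flashing $fw on $DEVICE with $updater"
    ssh "$SSH_USER@$DEVICE" "$updater -m"
}

if [ "${1:-}" = run ]; then downgrade; fi
```

Run with `DEVICE=<address> sh airos-downgrade.sh run`; for an XW device set PLATFORM=XW and FW_URL to the matching image, and the name check will refuse the XM file from the post.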


1: http://dl.ubnt.com/firmwares/XN-fw/v5.5.11/XM.v5.5.11.28002.150723.1344.bin

2: https://help.ubnt.com/hc/en-us/articles/204959804-airMAX-How-do-I-upgrade-the-firmware-from-the-CLI-SSH-

3: https://community.ubnt.com/t5/airOS-Software-Configuration/Problem-upgrading-some-XM-devices-5-5-6-to-5-5-11/td-p/1324988

How to prepare TL-WR1043NDv1 for use with DD-WRT, OpenWRT or LEDE.

Alternative title: How to avoid bricking your router.


This is a published draft version for public review. Comments welcome.


Initial position:

When I started to develop a customized build of OpenWRT CC 15.05/15.05.1 for my TL-WR1043NDv1, I ran into some problems. I bricked some of my routers. It also happened to me with the current LEDE 17.01-rc2. Let me start from the beginning:

Continue reading How to prepare TL-WR1043NDv1 for use with DD-WRT, OpenWRT or LEDE.

Austria/various Mobile Broadband offers to be compared

The following is a list of new tariffs (snapshot from June 15th, 2016). The list will never be complete; it is just meant to help a little. The focus is on mobile broadband offers with a “per x GB flat rate”. See the list below the table for Austrian mobile providers.

„*“: List update December 14th, 2016
„**“: List update February 2nd, 2017

work in progress:

Continue reading Austria/various Mobile Broadband offers to be compared